|
|
MS reveals second DirectShow vuln
Author: Gareth HalfacreePublished: 7th July 2009
The flaw in DirectShow - the second in just over a month - leaves Windows XP and Server 2003 systems vulnerable to attack.
According to CNet, the vulnerability is already seeing “limited attacks” and can result in arbitrary code execution under the privilege of the currently logged in user when a malicious website is visited.
This marks the second major security breach in DirectShow in the past month, and as the issue affects both consumer-level and enterprise-grade Windows installations will once again be causing system administrators to wonder why something so clearly desktop oriented as DirectShow is installed by default in Windows Server 2003.
The report on Microsoft's Security Reponse blog indicates that both Windows XP and Windows Server 2003 are affected – although changes in the way Windows Vista and Windows 7 operate mean that the issue is avoided. Describing the affected ActiveX control as having no “by-design uses” - which raises the question of why it's there in the first place – Microsoft's current advice is to set the kill bits which will prevent the ActiveX control from being loaded pending an official patch.
Perhaps the more interesting way to obviate risk from this latest vulnerability is to upgrade to Internet Explorer 8: reports state that only IE6 and IE7 are affected.
Do you believe that Microsoft needs to seriously investigate why it's installing vulnerable end-user technologies such as DirectShow onto a server operating system, or are you just pleased that the company has quickly identified a work-around? Share your thoughts over in the forums.
Related
Comments (5)- Site Links:
- About
- Email Editor
- Newsletter
- Privacy
- RSS
- Score Guide
- Our Other Websites:
- Auto Express
- Channel Pro
- Computer Buyer
- Computer Shopper
- Den of Geek
All content © bit-tech.net 2000-2010
© Copyright Dennis Publishing Limited licensed by Felden
Windows Live Essentials was a step in the right direction.